cyberwart

Hello Koko

mjw — Tue, 09 Mar 2010 21:46:23 +0000

Today an in-house tool I’ve been developing (Dragonslayer) triggered on events matching both a PDF signature and traffic to hosts on the MalwareDomainList. In particular it was hitting on ip 79.171.22.190 which is hosted as kokojamba.com.

The host is registered as follows:

Domain Whois record

Queried whois.internic.net with “dom kokojamba.com”…

Domain name: kokojamba.com

Status: Active

Registrant:

Name: Andrzej Ignashevitch

Address: Pulawska, 15

City: Warszawa

Province/state: poland

Country: PL

Postal Code: PL-02515

Administrative Contact:

Name: Andrzej Ignashevitch

Organization: Andrzej Ignashevitch

Address: Pulawska, 15

City: Warszawa

Province/state: poland

Country: PL

Postal Code: PL-02515

Phone: +48.713965232

Fax: +48.713965232

Email: magikmind13@gmail.com

Technical Contact:

Name: Andrzej Ignashevitch

Organization: Andrzej Ignashevitch

Address: Pulawska, 15

City: Warszawa

Province/state: poland

Country: PL

Postal Code: PL-02515

Nameserver Information:

ns1.kokojamba.com

ns2.kokojamba.com

Create: 2010-03-04 20:05:36

Update: 2010-03-04

The admin panel had the default user/password of “admin”:”admin”.

Here’s what’s on the inside:

I wrote a quick python script to download all the compromised host data. It’s available here: http://www.cyberwart.com/files/koko.txt.gz I’m not sure if each IP is compromised or only downloaded a (one or more payloads). It doesn’t appear that simply visiting the site gets you one the list. Also, the files downloaded feature seems broken as I’ve seen payloads delivered but not showing up on the list.

Can you believe that hot blond on Facebook wasn’t just desperate to meet me?!

mjw — Sun, 14 Feb 2010 06:57:51 +0000

So a hot blond decided to randomly add me on Facebook. I know what you’re thinking: “Matt with your dashing good looks, charm, and terrific fashion sense, I’m sure you have models contacting you all the time”. I won’t argue with your logic, but in my boredom I decided to investigate a little. Here’s what I found:

If you think this isn’t normal there’s a job req up on fling:

Trying to get my FIOS Bill

mjw — Sun, 14 Feb 2010 06:16:19 +0000

For weeks I’ve been trying to get my Verizon FIOS bill. Verizon happily debits my credit card every month but I need the receipts. I’ve logged into my account online and all I get is the below message saying the system isn’t working:

I emailed them and got no help:

Note: I LOVE automated completely useless responses.

Verizon decided to step up their incompetence when I tried to access my billing info yet again tonight:

So at this point, I guess I get to spend hours on hold waiting for them. Oh how I love incompetent multinational companies.

New Hex-Rays

mjw — Mon, 01 Feb 2010 15:13:47 +0000

A new version of Hex-Rays is out today. Combined with my eval copy of Binnavi today is just a good day!

16 byte CRC is Common

mjw — Mon, 01 Feb 2010 15:13:11 +0000

Saw this: http://www.theregister.co.uk/2010/01/26/aurora_attack_origins/

The link argues that the unusual CRC in Aurora that uses 16 unsigned ints isn’t actually that uncommon… in fact it’s in a lot of EE type text books.

Laptopantivirus.microsoft.com

mjw — Wed, 27 Jan 2010 18:04:20 +0000

This find is due to Sara. A quick check in the traffic logs for a host sent to the help desk showed a bit odd network traffic. We saw the computer polling laptopantivirus.microsoft.com/block.php. Looking quickly you think, well that’s Microsoft – it’s okay! Well, Microsoft using PHP? That’s not overly likely and the “laptopantivirus” part seems sketchy. If you look at the IP address it’s 195.88.190.54 – Registered to Bigness Group based in Russia.

See below

DoH!

mjw — Mon, 25 Jan 2010 15:52:24 +0000

DoH! is meeting THIS WEDS Jan 27th at 7pm! Again at GWU/Foggy Bottom.

The CON: Real Slim Snipa

mjw — Thu, 21 Jan 2010 00:20:03 +0000

Greetz “Tu Snipa”. Adam, great blog entry: http://www.thecoverofnight.com/blog/?p=214

New Evidence from Secureworks

mjw — Thu, 21 Jan 2010 00:17:58 +0000

Great link here: http://www.secureworks.com/research/blog/index.php/2010/01/20/operation-aurora-clues-in-the-code/

Basically they found a CRC algorithm in the binary that Googling appears to indicate is used only in Chinese language forums. Very nice hard data point.

Idle Speculation on Auroras

mjw — Tue, 19 Jan 2010 20:55:56 +0000

Now that the Symantec write up seems legit here’s a little background digging I did the other day on the domains. I think this sort of information is mainly idle speculation, but rather than simply presenting opinions I’m going to provide screenshots. This is based on looking up network information for the domains listed by Symantic, namely:

yahooo.8866.org
sl1.homelinux.org
360.homeunix.com
li107-40.members.linode.com
ftp2.homeunix.com
update.ourhobby.com

Here’s what I saw:

Interestingly here, the first hostname is in Korea – not China. If you want to ping up the admin the info is listed as:

Another domain sl1.homelinux.org is again shared hosted, and it has multiple domains including those associated with Russia:

Another hostname 360.homeunix.com has a little more info. The hostname is set to localhost, but the domain appears to be in the US:

Same with update.ourhobby.com

Though in fairness it appears to be only a US based service:

Li170-40.members.linode.com actually had some info:

If you look above you see the IP is US based with US based points of contact – though one appears to be Canadian as well.

yahoo.8866.org, finally this one appears to be in China

A lot of the speculation is based on IP addresses and where they resolve to. I believe this is a poor way to do analysis. If I were a criminal or a nation state, I would certainly own a lot of 3^rd party easy hosts and create a very complex path that would be near impossible to establish my true identity. I don’t believe the Chinese would be easily attributed back to Chinese IP addresses. Additionally, if you look at the above, it’s not entirely clear that China is the sole source. There are Chinese, Korean, and US hosts/domains. This might provide things to think about as others are speculating about attribution based on where the malware connects back to.

UPDATE:

Saw this link associated with the email address (ppyy@bentium.com): http://archives.neohapsis.com/archives/postfix/2001-05/1841.html. Further if you look up the domain 8866.com you see things like: http://google.com/safebrowsing/diagnostic?site=8866.org/

The more I see the more it looks like a regular malware domain. Maybe “the real badguys” hacked 8866.com to then hack google and those 36 other companies, but if I wanted to say off the radar at all this seems like a really bad idea. I’m thinking regular malware.

All screenshots are from www.centralops.net or www.robtex.com